

116 S1457 IS: Sharing Urgent, Potentially Problematic Locations that Yield Communications Hazards in American Internet Networks Act of 2019
U.S. Senate
2019-05-14
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



II116th CONGRESS1st SessionS. 1457IN THE SENATE OF THE UNITED STATESMay 14, 2019Mrs. Blackburn (for herself and Mr. Cornyn) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and TransportationA BILLTo provide for interagency coordination on risk mitigation in the communications equipment and
			 services marketplace and the supply chain thereof, and for other purposes.
	
 1.Short titleThis Act may be cited as the Sharing Urgent, Potentially Problematic Locations that Yield Communications Hazards in American Internet Networks Act of 2019 or the SUPPLY CHAIN Act of 2019.
		2.Interagency coordination on risk mitigation in the communications equipment and services
			 marketplace and the supply chain
			 thereof
 (a)DefinitionsIn this section: (1)Appropriate committees of CongressThe term appropriate committees of Congress means—
 (A)the Committee on Commerce, Science, and Transportation, the Committee on Foreign Relations, the Committee on Armed Services, the Committee on the Judiciary, the Committee on Homeland Security and Governmental Affairs, and the Select Committee on Intelligence of the Senate; and
 (B)the Committee on Energy and Commerce, the Committee on Foreign Affairs, the Committee on Armed Services, the Committee on the Judiciary, the Committee on Homeland Security, and the Permanent Select Committee on Intelligence of the House of Representatives.
 (2)Appropriate Federal entityThe term appropriate Federal entity means— (A)the Department of Defense;
 (B)the Department of Energy; (C)the Department of Homeland Security;
 (D)the Department of Justice; (E)the Department of Transportation;
 (F)the Department of the Treasury; and (G)the Office of the Director of National Intelligence.
 (3)Classified informationThe term classified information means any information or material that has been determined by the Federal Government pursuant to an Executive order, statute, or regulation, to require protection against unauthorized disclosure for reasons of national security.
 (4)Communications equipment and servicesThe term communications equipment and services includes any hardware, software, or other product or service primarily intended to fulfill or enable the function of information processing and communications by electronic means, including transmission and display, including over the internet.
 (5)RiskThe term risk means any aspect or property of the components of communications equipment and services or the associated supply chain that may be used to gain unauthorized access to a communications network, disrupt a communications network, disrupt the manufacture of communications equipment, disrupt consensus-driven industry standards for communications equipment and services, or otherwise harm a communications network or the users of the network, including gaining unauthorized access to data or redirecting data.
 (6)SecretaryThe term Secretary means the Secretary of Commerce. (7)Supply chainThe term supply chain, with respect to communications equipment and services—
 (A)means the network of persons and activities from source to delivery of the equipment and services; and
 (B)includes— (i)vendors, suppliers, and providers of the equipment and services; and
 (ii)persons who manufacture, assemble, develop, or test the equipment and services. (b)Ongoing reviewConsistent with the protection of classified information, the Secretary shall, in coordination with the head of each appropriate Federal entity, conduct an ongoing review of risks to the communications equipment and services marketplace and the supply chain thereof.
			(c)Long-Term scenario and strategic planning
 (1)Development, issuance, and implementation of proceduresNot later than 180 days after the date of enactment of this section, consistent with the protection of classified information, the Secretary, in coordination with the head of each appropriate Federal entity, shall—
 (A)develop and issue procedures to regularly facilitate— (i)long-term scenario and strategic planning with private entities that have appropriate security clearances to review classified information about risks, including by—
 (I)assessing the severity of risks posed to the marketplace of individual components of communications equipment and services and the supply chain thereof;
 (II)identifying counterfeit communications equipment and services in the marketplace; (III)assessing the ability of foreign governments or third parties to exploit the marketplace in a manner that raises risks;
 (IV)identifying— (aa)emerging risks and long-term trends in the marketplace of individual components or standards of communications equipment and services and the supply chain thereof; and
 (bb)strategies to mitigate risks described in item (aa); and (V)analyzing opportunities for asymmetric advantage;
 (ii)the— (I)preparation of unclassified information that raises awareness of risks, including, as appropriate, unclassified versions of any information shared under clause (i); and
 (II)dissemination by the Secretary of the unclassified information described in subclause (I) to private entities that do not have appropriate security clearances; and
 (iii)the voluntary sharing from private entities to the Secretary of information about risks to the marketplace; and
 (B)carry out the procedures developed and issued under subparagraph (A). (2)Manner of presentationThe information shared with private entities under paragraph (1)(A)(i) shall be presented in a manner that identifies, assesses, and prioritizes risks, the mitigation of risks, and opportunities for asymmetric advantage.
				(3)Information shared with or provided to the Federal Government
 (A)No waiver of privilege or protectionThe provision of information to the Federal Government by a private entity under clause (i) or (iii) of paragraph (1)(A) shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.
 (B)Proprietary informationInformation provided to the Federal Government by a private entity under clause (i) or (iii) of paragraph (1)(A) shall be considered the commercial, financial, and proprietary information of the private entity.
 (C)Exemption from disclosure under FOIAInformation provided to the Federal Government by a private entity under clause (i) or (iii) of paragraph (1)(A) shall be exempt from disclosure under section 552(b)(3) of title 5, United States Code.
 (D)Exemption from Federal regulatory authorityInformation provided to the Federal Government by a private entity under clause (i) or (iii) of paragraph (1)(A) shall not be used by any Federal entity to regulate, including through an enforcement action, the lawful activities of the private entity.
 (E)Protection from liabilityNo cause of action shall lie or be maintained in any court against a private entity, and such action shall be promptly dismissed, if the action is related to or arises out of the provision of information to the Federal Government by the private entity under clause (i) or (iii) of paragraph (1)(A).
					(d)Report to Congress
 (1)In generalNot later than 1 year after the date of enactment of this section, and biennially thereafter, the Secretary, in coordination with the head of each appropriate Federal entity, shall submit to the appropriate committees of Congress a report on the implementation of this section.
 (2)ContentsThe report required under paragraph (1) shall— (A)include any recommendations that the Secretary, in collaboration with the heads of the appropriate Federal entities, may have for improvements or modifications to the procedures developed and issued under this section;
 (B)evaluate the effectiveness of the procedures developed and issued under subsection (c)(1)(A); (C)identify processes and procedures that improve the ability of private entities and the Federal Government to adapt to emerging risks to the marketplace;
 (D)provide technical guidance on procurement of communications equipment and services offered by private entities in order to mitigate vulnerabilities;
 (E)include recommendations to streamline the provision of security clearances for relevant private sector actors; and
 (F)assess coordination between the heads of the appropriate Federal entities, including by identifying distinct competencies and jurisdictions of each appropriate Federal entity.
 (3)Form of reportsEach report submitted under paragraph (1) shall be in unclassified form, but may include a classified annex.
 (e)Rule of constructionNothing in this section shall be construed to authorize the Secretary or the head of any other Federal agency to issue new regulations.